EDR Bypass Challenges
36 challenges across 9 categories. Start with Easy and work your way up.
Category 1: Process Name Evasion
01 - Binary Rename
Rename a blacklisted tool to bypass process name detection
Easy02 - Case Sensitivity Exploit
Exploit case-sensitive string comparison in the blacklist
Easy03 - Copy and Rename
Copy a tool to a new filename to avoid detection
Easy04 - Unlisted Tool
Use a tool that isn't in the hardcoded blacklist
Category 2: Command Line Obfuscation
05 - Path Manipulation
Use path tricks to confuse the filename check
Easy06 - Caret Insertion
Use cmd.exe escape characters to break keyword matching
Medium07 - Environment Variable Substitution
Use environment variables to hide command keywords
Medium08 - Base64 Encoded Commands
Encode commands to bypass keyword detection
Easy09 - The Useless Rule
Discover why reconnaissance commands are never blocked
Category 3: Process Monitoring Bypass
10 - Timing Attack
Exploit the polling interval to execute undetected
Easy11 - Pre-Existing Process
Be running before the EDR starts monitoring
Medium12 - Living Off The Land
Use built-in tools and alternative commands
Medium13 - LSASS Without Keywords
Dump LSASS without triggering keyword detection
Medium14 - Tool Rename for LSASS
Rename dump tools to bypass the dual-condition rule
Category 4: Execution Evasion
15 - Alternative PowerShell Host
Execute PowerShell without powershell.exe
Medium16 - Elevated Process Evasion
Exploit the EDR's inability to read elevated processes
Medium17 - 32-Bit Process Evasion
Use a 32-bit process to break PEB reading
Hard18 - Unicode Process Names
Exploit ASCII-only string handling with Unicode characters
Category 5: Advanced Bypass
19 - Parent PID Spoofing
Spoof the parent process ID to confuse tracking
Easy20 - The Empty Hash Database
Discover that Rule 6 has no signatures without --signatures flag
Category 6: API Hook Evasion
Requires --profile flag (e.g. --profile crowdstrike). These challenges target Rule 7’s static import analysis using real EDR hook profiles from Mr-Un1k0d3r/EDRs.
21 - Dynamic API Resolution
Use GetProcAddress to resolve hooked APIs at runtime instead of static imports
Medium22 - DLL Proxy Call
Move the hooked API call into a DLL that the scanner doesn't inspect
Hard23 - Direct Syscalls
Skip ntdll.dll entirely using Hell's Gate direct syscall technique
Hard24 - ntdll.dll Unhooking
Restore ntdll.dll from disk to remove all userland hooks undetected
Category 7: ETW Bypass
Target the EDR’s ETW telemetry pipeline. The agent registers a custom ETW provider and trace session — blind it using session manipulation, memory patching, or patchless hooking techniques. See Breaking ETW and EDR and ETW-TI Deep Dive for background.
25 - Kill the Trace Session
Stop the hardcoded ETW trace session to blind the EDR's telemetry
Medium26 - Patch EtwEventWrite
Patch ntdll!EtwEventWrite to silently disable all user-mode ETW without triggering Rule 8
Medium27 - Provider Unregistration
Disable the EDR's provider from the trace session while keeping the session alive
Hard28 - Hardware Breakpoint Hook
Use debug registers and a VEH to intercept EtwEventWrite without modifying code bytes
Category 8: Signature Bypass
Requires --signatures flag (e.g. --signatures signatures/malware_hashes.txt). These challenges target Rule 6’s SHA256-based signature detection.
29 - Single-Byte Hash Evasion
Change one byte of a known binary to produce a completely different SHA256 hash
Easy30 - Read the Signature Database
The plaintext signature file reveals exactly which hashes the EDR knows
Hard31 - Process Hollowing vs Hash Check
Replace process memory after creation — the on-disk image hash stays clean
Easy32 - Recompile from Source
Same source code, different compiler run, completely different hash
Category 9: Packer & PE Evasion
These challenges target Rule 9’s PE structure analysis — packer detection, section name matching, and header integrity checks.
33 - UPX Section Name Rename
Pack with UPX to change the hash, then rename UPX0/UPX1 sections to evade packer detection
Hard34 - Custom Packer / Crypter
Build a custom packer with normal section names and no RWX — invisible to static analysis
Hard35 - PE Header Obfuscation
Use Astral-PE style header corruption to crash the EDR's PE parser silently
Hard36 - Runtime Unpacking
Clean stub on disk, decrypt and execute payload in memory — the EDR never re-scans
MostShittyEDR